Hello, I'm Didier Stevens and this is another video with a second example of DOSfuscation. So with oledump here, the malicious document contains macros in streams 8 and 15. So let's select 8 and decompress it like this, and here you have the macros, and here you can see Shell, "cm" and then several variables. So this is string concatenation, and this here will contain the command to execute, and those variables will be found in stream 15. But before we do that, let me show you a new option that I added to oledump. So here we see all the source code of the VBA code, and these attributes here are actually part of the source code, but when you open it with the editor, with the Visual Basic editor in Word for example, this is not displayed, because those are properties that you set through the dialogs and not via code. So what I did: you have option -v to decompress, and that's the same as option --vbadecompress if you take the long option, and the new option is --vbadecompressskipattributes, like this. You see, and then you don't see the attributes here; it starts here at the function, Sub AutoOpen. So that's the new option that we are going to use. So we had stream 15 with the other macros, and here there are several strings. So it's similar to the first DOSfuscation example, with re-search: I'm going to extract all the strings. So I'm looking for strings, str, and we also want empty strings, and we don't want the quotes, so unquoted strings, like that. That gives us all the strings in the VBA code, one per line, and now let's join these with my sets command, where we join all those lines. Okay, and now here you can see the DOS command. So there's a "d" here, and remember that we had "cm" in the first stream, stream 8, so that's cmd, and then here the command. Now you might think: okay, we are going to convert this simply with numbers-to-string, like this, but that doesn't give us the result that we want, and that's because those are actually not the ASCII values of the string.
What is going on here is the following. So here you have a zzzu variable, and here you have a long string, this string here, and what is actually going on is that you have a For loop here, like this, with the Do with all those numbers, and %n here, the variable, you can see that here. So what is happening is: here you have zzzu, the variable, which is indexed with %n, so this is indexed with the number n, and we only take one character. So those numbers here actually represent an index into the string, and that's how the exact string to be executed is built up, and we can also decode this with numbers-to-string the following way. So we want to give it an expression to execute, and we are going to search into this string, so it's a Python expression, and here between single quotes I'm going to put my string that is being indexed, so that is the string here, copy-paste, like this. Now remark that there is a single quote inside the string itself, so we need to escape that, sorry, like this. So what we are going to do is index our string with the number n, and so this expression will yield each time the character that we want.
The only thing is that numbers-to-string actually expects numbers and not characters, so we have to look up the numeric value of this character with the ord function, like this. Okay, and we get no output. The reason is that an error occurred, and by default numbers-to-string will not show you the error, it will just skip the error, but with option -e you can force it to raise the error. Okay, so here we have the error "string index out of range", and you can see that the value of n that is causing the string index out of range error is 84. So here at the end we have 84, and 84 is not present in this string, I mean that is no index value, because the string itself is just 84 characters, and since we start from 0, 84 is too large. 84 is actually here to start the execution, because if you look at the code here you can see: if %n equals 84 then we call the variable. So what we have to do is make sure that we don't pass 84 as a value, because that's too large, and what I'm going to do is a remainder division, the modulus: so n will be divided by 84 and we will take the remainder, so if we have 84 it will become 0, and if we have 85 it will become 1, and so on. Okay, and now indeed it is decoded. Let me repeat the command here at the top, like this. So here you see the command powershell, and here the command to execute, and you can see here also that it is being preceded by some other letters, and those actually come from the numbers. Let me go back here: these actually come from the numbers that you can find in here, so like number 9 here, number 0, 6, 5, 8, those numbers have also been converted, so we don't need that. So what I'm going to do is say: okay, we just want to start at 53, that's where we want to start the decoding, so for numbers-to-string here I no longer need this option -e, but I'm going to say the beginning is 53, like this. And the same thing here at the end: you also have numbers that have been converted, so I can say the end is 84. No, sorry, I had to add the space here,
like this, and then here we have our decode. The only thing here is the L, and that's the 84 that has been divided by 84, so the remainder is 0, and 0 is the first letter in the string, so that's why the letter L appears here. But this way we can exactly decode this DOSfuscation by indexing ourselves with numbers-to-string.
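The index-into-a-string scheme from the video, reproduced in plain Python as an added example (this is not code from the video, nor from oledump or numbers-to-string). The alphabet, the junk prefix and the command are constructed sample data; only the 84-character alphabet length, the 84 "run it" marker, the stray first letter and the 9 0 6 5 8 prefix follow what the video shows.

```python
import string

# Constructed 84-character lookup string standing in for the document's zzzu
# variable (the real string is not reproduced here); index 0 is "L", as in the video.
ALPHABET = ("L" + string.ascii_lowercase + string.ascii_uppercase.replace("L", "")
            + string.digits + " .-/:\\'\"=$;&|%()[]{}<>")
EXEC_MARKER = 84                 # the macro runs the command when it meets n = 84
JUNK_PREFIX = [9, 0, 6, 5, 8]    # other numbers in the stream, not part of the command
COMMAND = "powershell Get-Date"  # constructed benign command for the demo


def encode(command):
    """Build the number list an obfuscator of this kind would emit (demo only)."""
    return [ALPHABET.index(c) for c in command] + [EXEC_MARKER]


def decode_naive(indices):
    """What treating the numbers as character codes gives: control bytes, not the command."""
    return "".join(chr(n) for n in indices)


def out_of_range(indices):
    """Values that would raise 'string index out of range', as option -e reports."""
    return [n for n in indices if n >= len(ALPHABET)]


def decode_indexed(indices, begin=0, end=None, wrap=True):
    """One character per number, read from ALPHABET the way the macro does.

    wrap=True applies n % 84, so the marker 84 maps to index 0 and yields the
    stray first letter ("L") seen in the video; wrap=False raises IndexError
    on the marker instead. begin/end trim the junk numbers on either side."""
    out = []
    for n in indices[begin:end]:
        if wrap:
            n %= len(ALPHABET)
        out.append(ALPHABET[n])
    return "".join(out)


if __name__ == "__main__":
    numbers = JUNK_PREFIX + encode(COMMAND)
    print("out of range:", out_of_range(numbers))          # [84]
    print("naive:", repr(decode_naive(numbers)))
    print("wrapped:", decode_indexed(numbers))              # junk + command + "L"
    print("trimmed:", decode_indexed(numbers, len(JUNK_PREFIX), len(numbers) - 1))
```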